Bug#1086163: curl 7.88.1-10+deb12u8 flagged for acceptance
package release.debian.org tags 1086163 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: curl Version: 7.88.1-10+deb12u8 Explanation: fix incorrect handling of some OCSP responses [CVE-2024-8096]
Bug#1086611: node-dompurify 2.4.1+dfsg+~2.4.0-2+deb12u1 flagged for acceptance
package release.debian.org tags 1086611 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-dompurify Version: 2.4.1+dfsg+~2.4.0-2+deb12u1 Explanation: fix prototype pollution issues [CVE-2024-45801 CVE-2024-48910]
Bug#1083162: sqlite3 3.40.1-2+deb12u1 flagged for acceptance
package release.debian.org tags 1083162 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: sqlite3 Version: 3.40.1-2+deb12u1 Explanation: fix a buffer overread issue [CVE-2023-7104], a stack overflow issue and an integer overflow issue
Bug#1086632: apr 1.7.2-3+deb12u1 flagged for acceptance
package release.debian.org tags 1086632 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: apr Version: 1.7.2-3+deb12u1 Explanation: use 0600 perms for named shared mem consistently [CVE-2023-49582]
Bug#1086613: ipmitool 1.8.19-4+deb12u2 flagged for acceptance
package release.debian.org tags 1086613 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: ipmitool Version: 1.8.19-4+deb12u2 Explanation: fix a buffer overrun in "open" interface; fix "lan print fails on unsupported parameters"; fix reading of temperature sensors; fix using hex values when sending raw data
Bug#1086151: util-linux 2.38.1-5+deb12u2 flagged for acceptance
package release.debian.org tags 1086151 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: util-linux Version: 2.38.1-5+deb12u2 Explanation: allow lscpu to identify new Arm cores
Bug#1086601: intel-microcode 3.20240910.1~deb12u1 flagged for acceptance
package release.debian.org tags 1086601 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: intel-microcode Version: 3.20240910.1~deb12u1 Explanation: new upstream release; security fixes [CVE-2024-23984 CVE-2024-24968]
Bug#1086163: bookworm-pu: package curl/7.88.1-10+deb12u8
Control: tags -1 + confirmed On Sun, 2024-10-27 at 22:06 +, aquilamac...@riseup.net wrote: > Package: release.debian.org > Control: affects -1 + src:curl > X-Debbugs-Cc: c...@packages.debian.org, aquilamac...@riseup.net, > samuel...@debian.org > User: release.debian@packages.debian.org > Usertags: pu Note that the usertagging here didn't work, so the bug was not displayed in the SRM section of the release.d.o BTS view. My guess is that the broken linewrapped X-Debbugs-CC header lead to the "samuel...@debian.org" line being treated as the first line of the body, and thus the following lines not processed as pseudo-headers. [...] > The reason is to fix CVE-2024-8096 [1], which involves improper > handling > of OCSP stapling in curl when using GnuTLS as the TLS backend. If the > OCSP status returns an error other than "revoked" (e.g., > "unauthorized"), curl fails to mark the certificate as invalid. Please go ahead. Regards, Adam
Bug#1086613: bookworm-pu: package ipmitool/1.8.19-4+deb12u2
Control: tags -1 + confirmed On Sat, 2024-11-02 at 15:13 +0800, Shengqi Chen wrote: > There are some upstream bugs. Please see Changes section for details. Please go ahead. Regards, Adam
Bug#1086611: bookworm-pu: package node-dompurify/2.4.1+dfsg+~2.4.0-2+deb12u1
Control: tags -1 + confirmed On Sat, 2024-11-02 at 07:20 +0100, Yadd wrote: > node-dompurify is vulnerable to prototype pollutions. Please go ahead. Regards, Adam
Bug#1086601: bookworm-pu: package intel-microcode/3.20240910.1~deb12u1
Control: tags -1 + confirmed On Fri, 2024-11-01 at 21:14 -0300, Henrique de Moraes Holschuh wrote: > As requested by the security team, I would like to bring the > microcode update level for Intel processors in Bullseye and Bookworm > to match what we have in Sid and Trixie. Please go ahead. Regards, Adam
Bug#1086164: glibc 2.36-9+deb12u9 flagged for acceptance
package release.debian.org tags 1086164 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: glibc Version: 2.36-9+deb12u9 Explanation: change Croatian locale to use Euro as currency; revert upstream commit that modified the GLIBC_PRIVATE ABI, causing crashes with some static binaries on arm64; vfscanf(): fix matches longer than INT_MAX; ungetc(): fix uninitialized read when putting into unused streams, backup buffer leak on program exit; mremap(): fix support for the MREMAP_DONTUNMAP option; resolv: fix timeouts caused by short error responses or when single-request mode is enabled in resolv.conf
Bug#1080370: Acknowledgement (bookworm-pu: package mariadb 1:10.11.9-0+deb12u1)
On Mon, 2024-09-02 at 17:16 -0700, Otto Kekäläinen wrote: > /edit > > I propose that the latest minor maintenance version of MariaDB be > included in > the stable release update of Debian. This bug report is to make it > visible and > trackable to the release team that this update is available and work > is in > progress. Unfortunately the arm64 and s390x builds both fail with test failures. Regards, Adam
Bug#1086157: openssl 3.0.15-1~deb12u1 flagged for acceptance
package release.debian.org tags 1086157 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: openssl Version: 3.0.15-1~deb12u1 Explanation: new upstream stable release; fix buffer overread issue [CVE-2024-5535], out of bounds memory access [CVE-2024-9143]
Bug#1086151: bookworm-pu: package util-linux/2.38.1-5+deb12u2
Control: tags -1 + confirmed On Sun, 2024-10-27 at 16:41 +0100, Chris Hofstaedtler wrote: > ema@ asked in #1085682 to improve reporting of ARM CPU core names in > lscpu for bookworm. > > Just as background: on x86, /proc/cpuinfo provides CPU names etc, but > on ARM it doesn't; instead lscpu has lists in its source code. Please go ahead. Regards, Adam
Bug#1086164: bookworm-pu: package glibc/2.36-9+deb12u9
Control: tags -1 + confirmed d-i On Sun, 2024-10-27 at 23:48 +0100, Aurelien Jarno wrote: > The upstream stable branch got a few fixes in the last months, and > this update pulls them into the debian package. Please go ahead. Regards, Adam
Bug#1086157: bookworm-pu: package openssl/3.0.15-1~deb12u1
Control: tags -1 + d-i On Sun, 2024-10-27 at 21:01 +0100, Sebastian Andrzej Siewior wrote: > This is a new stable release by upstream of OpenSSL. I added > additionally a fix for CVE-2024-9143 which is classified as low and > not yet part of an OpenSSL release in the 3.0.x series. I also made > an upload to unstable with a fix for this CVE. > > I am not aware of a regression. CCing for d-i visibility. Regards, Adam
Bug#1086116: gtk+3.0 3.24.38-2~deb12u3 flagged for acceptance
package release.debian.org tags 1086116 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: gtk+3.0 Version: 3.24.38-2~deb12u3 Explanation: fix letting Orca announce initial focus
Bug#1084907: systemd 252.31-1~deb12u1 flagged for acceptance
package release.debian.org tags 1084907 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: systemd Version: 252.31-1~deb12u1 Explanation: new upstream stable release
Bug#1084845: dpdk 22.11.6-1~deb12u1 flagged for acceptance
package release.debian.org tags 1084845 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: dpdk Version: 22.11.6-1~deb12u1 Explanation: new usptream stable release
Bug#1081535: llvm-toolchain-15 15.0.6-4+b1 flagged for acceptance
package release.debian.org tags 1081535 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: llvm-toolchain-15 Version: 15.0.6-4+b1 Explanation: architecture-specific rebuild on mips64el to sync version with other architectures
Bug#1080363: galera-4 26.4.20-0+deb12u1 flagged for acceptance
package release.debian.org tags 1080363 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: galera-4 Version: 26.4.20-0+deb12u1 Explanation: new upstream stable release
Bug#1080370: mariadb 10.11.9-0+deb12u1 flagged for acceptance
package release.debian.org tags 1080370 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: mariadb Version: 10.11.9-0+deb12u1 Explanation: new upstream stable release; fix security issue [CVE-2024-21096]
Bug#1082118: bookworm-pu: package allow-html-temp/10.0.4-1~deb12u1
On Wed, 2024-09-18 at 16:49 +0200, Mechtilde Stehmann wrote: > Thunderbird will come with a new version (>=128.2.x) into stable. > This need an update for the Add-Ons (here: allow-html-temp) too > > [ Impact ] > If the update isn't approved the user can't anymore use it > in recent thunderbird The latest thunderbird DSA (from today) is still 115.X. Does the new allow-html-temp also work with that, or will it be a case of not being able to release the new extension to stable until Thunderbird 128.X actually reaches -security? (Similar questions apply to the other p-u requests for extensions for the same reason.) Regards, Adam
Bug#1074088: cjson 1.7.15-1+deb12u2 flagged for acceptance
package release.debian.org tags 1074088 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: cjson Version: 1.7.15-1+deb12u2 Explanation: fix segmentation violation issue [CVE-2024-31755]
Bug#1083223: clamav 1.0.7+dfsg-1~deb12u1 flagged for acceptance
package release.debian.org tags 1083223 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: clamav Version: 1.0.7+dfsg-1~deb12u1 Explanation: new upstream stable release; fix denial of service issue [CVE-2024-20505], file corruption issue [CVE-2024-20506]
Bug#1083090: ostree 2022.7-2+deb12u1 flagged for acceptance
package release.debian.org tags 1083090 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: ostree Version: 2022.7-2+deb12u1 Explanation: prevent crashing libflatpak when using curl 8.10
Bug#1082701: iputils 20221126-1+deb12u1 flagged for acceptance
package release.debian.org tags 1082701 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: iputils Version: 20221126-1+deb12u1 Explanation: fix incorrect handling of ICMP responses intended for other processes
Bug#1082024: timeshift 22.11.2-1+deb12u1 flagged for acceptance
package release.debian.org tags 1082024 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: timeshift Version: 22.11.2-1+deb12u1 Explanation: add missing dependency on pkexec
Bug#1084398: Acknowledgement (mirror listing update for mirror.tngnet.com)
Hi, There appears to have been a brief issue reaching your host from the checker at around 14:45UTC on the 8th, but other than that it looks like all the checks have been OK over the past few days. Regards, Adam On Thu, 2024-10-10 at 10:51 +, TNGNET Operations wrote: > --Please reply above this line-- > Hi, > For the installer part, got it. > > I'd generally allow around 10 days for a new mirror to appear on > > the > > website list, assuming automated checks find no issues with it > > during > > that time. > Could you see if at this very moment all automatic checks are working > out? > As when i look here http://ftp.de.debian.org/dmc/today it says X:3 > (404 Not found) under http, while when I go to the website itself it > works fine, also when I manually change the apt links to the mirror > in Debian it works as well. > Best regards from Infra & Systems Captain @ TNGNET. > this email is a service from tngnet >
Bug#1084398: Acknowledgement (mirror listing update for mirror.tngnet.com)
Hi, I'd generally allow around 10 days for a new mirror to appear on the website list, assuming automated checks find no issues with it during that time. For the installation side, the mirror list for the most common types of installer images is embedded into the image when it's created, so new mirrors won't be included until the choose-mirror package gets re- uploaded and the relevant images next get built (which for stable means at best at the next point release, possibly longer depending on whether there's a choose-mirror upload to proposed-updates in time). Regards, Adam On Wed, 2024-10-09 at 21:48 +, TNGNET Operations wrote: > --Please reply above this line-- > Hi Adam, > Could you tell us how long it takes normally for our mirror to appear > on the Mirror country list and during the Debian installations, as > now we have to pick a different mirror during installation and then > update it afterwards. > Best regards from Infra & Systems Captain @ TNGNET. > this email is a service from tngnet >
Bug#1077344: mirrors: Request of Changing DNS Record for ftp.tw.debian.org
On Mon, 2024-07-29 at 01:22 +0800, Jasper Yu wrote: > +CDImage-http: /debian-cd/ > +Ports-architecture: alpha hppa hurd-i386 ia64 m68k powerpc ppc64 sh4 > sparc64 x32 > +Ports-http: /debian-ports/ > +Ports-rsync: debian-ports/ Applied, thanks. It would have been a little cleaner if that had been separated from the ftp.tw discussion. Regards, Adam
Bug#1077344: mirrors: Request of Changing DNS Record for ftp.tw.debian.org
On Mon, 2024-07-29 at 01:22 +0800, Jasper Yu wrote: > The following is the sample patch diff we wrote to apply, we also > have CDImage and Ports as well. It is based on > commit 2909334fb40c8705163c7ace54485637c816a433. > > --- Mirrors.masterlist.in.old 2024-07-29 01:11:25 > +++ Mirrors.masterlist.in.new 2024-07-29 01:14:45 > @@ -304,7 +304,7 @@ > > Site: ftp.tw.debian.org > Country: TW Taiwan > -Includes: opensource.nchc.org.tw > +Includes: opensource.nchc.org.tw mirror.twds.com.tw > > Site: ftp.uk.debian.org > Country: GB United Kingdom > @@ -4324,9 +4324,14 @@ > Country: MX Mexico > > Site: mirror.twds.com.tw > +Candidate: 10 ftp.tw.debian.org I've applied this, but note that there are two parts here - this change makes the mirror status system track whether your mirror is currently in a suitable state to be (part of) ftp.tw.debian.org, but it doesn't affect DNS in any way. That will need to be a separate manual DNS change, which I may look at a little later depending on the outcome of this change. Regards, Adam
Bug#1082735: mirror submission for mirror.bgp.rodeo
On Wed, 2024-09-25 at 07:19 +, Nick Bouwhuis wrote: > Submission-Type: new > Site: mirror.bgp.rodeo > Archive-architecture: amd64 arm64 > Archive-http: /debian/ > Archive-rsync: debian/ > Maintainer: Nick Bouwhuis > Country: NL Netherlands > Location: Amsterdam Our automated checks noticed an issue with your setup that you may want to address: o We recommend mirrors not sync directly from service aliases such as ftp..debian.org (only HTTP is guaranteed to be available at ftp. sites). Maybe change your config to sync from the site currently backing the ftp..debian.org service you sync from? Regards, Adam
Bug#1082645: mirror submission for mirror.creoline.net
On Mon, 2024-09-23 at 22:42 +, creoline Mirror Support wrote: > Submission-Type: new > Site: mirror.creoline.net > Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 hurd- > amd64 i386 mips mips64el mipsel powerpc ppc64el riscv64 s390x > Archive-http: /debian/ > Archive-rsync: debian/ > Maintainer: creoline Mirror Support > Country: DE Germany > Location: Frankfurt > Sponsor: creoline GmbH https://www.creoline.com Our automated checks noticed an issue with your setup that you may want to address: o We recommend mirrors not sync directly from service aliases such as ftp..debian.org (only HTTP is guaranteed to be available at ftp. sites). Maybe change your config to sync from the site currently backing the ftp..debian.org service you sync from? Regards, Adam
Bug#1081610: mirror submission for mirror.us.mirhosting.net
On Fri, 2024-09-13 at 08:21 +, MIRhosting wrote: > Submission-Type: new > Site: mirror.us.mirhosting.net > Archive-architecture: ALL amd64 arm64 armel armhf hurd-i386 hurd- > amd64 i386 mips mips64el mipsel powerpc ppc64el riscv64 s390x > Archive-http: /debian/ > Archive-rsync: debian/ > Maintainer: MIRhosting > Country: US United States > Location: New York, NY > Sponsor: MIRhosting https://mirhosting.com Our automated checks noticed an issue with your setup that you may want to address: o We recommend mirrors not sync directly from service aliases such as ftp..debian.org (only HTTP is guaranteed to be available at ftp. sites). Maybe change your config to sync from the site currently backing the ftp..debian.org service you sync from? Regards, Adam
Bug#1082119: mirrors: Please add the ftp.mx.debian.org alias for lidsol.fi-b.unam.mx
On Wed, 2024-09-18 at 09:05 -0600, Gunnar Wolf wrote: > Back in July, the mirror operated by LIDSOL (Laboratorio de > Investigación y Desarrollo de Software Libre) at UNAM, the university > I work at, was added to the mirror list (lidsol.fi-b.unam.mx). > > The mirror has been stable and usable, and we continue to monitor it. How is the mirror updated? Our monitoring suggests that the mirror is running updates almost once an hour, with a daily average of 22 different update times reported in traces. You can see at https://mirror-master.debian.org/status/mirror-info/lidsol.fi-b.unam.mx.html that there are many update times that aren't near dinstall / mirror push times. Regards, Adam
Bug#924172: extra "/english" added to path of CSS and other files in /devel/website/stats
On Wed, 2020-08-19 at 13:02 +0200, Laura Arjona Reina wrote: > Hi all > > The issue with sitemaps was fixed with commit > > https://salsa.debian.org/webmaster-team/webwml/-/commit/83f7cae0178074e5e4f913168b4b42c7be90af13 > > as explained before :-) > > However, a similar issue has been discovered in the > > https://www.debian.org/devel/website/stats/ pages (all languages): > > the paths linking to CSS and other places (header and navbar) include > an extra /english/ that breaks the link (and thus, for example, CSS > is not loaded). I think this got fixed at some point - at least, https://www.debian.org/devel/website/stats/index.de.html seems to work. Regards, Adam
Bug#1082783: puredata 0.53.1+ds-2+deb12u1 flagged for acceptance
package release.debian.org tags 1082783 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: puredata Version: 0.53.1+ds-2+deb12u1 Explanation: fix privilege escalation issue [CVE-2023-47480]
Bug#1081394: node-ytdl-core 4.11.2+dfsg+~cs4.10.8-1+deb12u1 flagged for acceptance
package release.debian.org tags 1081394 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-ytdl-core Version: 4.11.2+dfsg+~cs4.10.8-1+deb12u1 Explanation: fix build failure
Bug#1082902: nghttp2 1.52.0-1+deb12u2 flagged for acceptance
package release.debian.org tags 1082902 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: nghttp2 Version: 1.52.0-1+deb12u2 Explanation: fix denial of service issue [CVE-2024-28182]
Bug#1082155: amanda 3.5.1-11+deb12u2 flagged for acceptance
package release.debian.org tags 1082155 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: amanda Version: 3.5.1-11+deb12u2 Explanation: update incomplete fix for CVE-2022-37704, restoring operation with xfsdump
Bug#1081418: node-mdn-browser-compat-data 5.2.20+~3.33.0-1+deb12u1 flagged for acceptance
package release.debian.org tags 1081418 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-mdn-browser-compat-data Version: 5.2.20+~3.33.0-1+deb12u1 Explanation: fix build failure
Bug#1081413: node-tap 16.3.2+ds1+~cs50.8.16-1+deb12u1 flagged for acceptance
package release.debian.org tags 1081413 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-tap Version: 16.3.2+ds1+~cs50.8.16-1+deb12u1 Explanation: fix build failure
Bug#1081410: node-rollup-plugin-node-polyfills 0.2.1+dfsg+~0.11.0-1+deb12u1 flagged for acceptance
package release.debian.org tags 1081410 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-rollup-plugin-node-polyfills Version: 0.2.1+dfsg+~0.11.0-1+deb12u1 Explanation: fix build failure
Bug#1081399: node-es-module-lexer 1.1.0+dfsg-2+deb12u1 flagged for acceptance
package release.debian.org tags 1081399 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-es-module-lexer Version: 1.1.0+dfsg-2+deb12u1 Explanation: fix build failure
Bug#1081388: node-y-websocket 1.4.5-4+deb12u1 flagged for acceptance
package release.debian.org tags 1081388 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-y-websocket Version: 1.4.5-4+deb12u1 Explanation: fix build failure
Bug#1081389: node-y-protocols 1.0.5-6+deb12u1 flagged for acceptance
package release.debian.org tags 1081389 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-y-protocols Version: 1.0.5-6+deb12u1 Explanation: fix build failure
Bug#1081343: node-globby 13.1.3+~cs16.25.40-1+deb12u1 flagged for acceptance
package release.debian.org tags 1081343 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: node-globby Version: 13.1.3+~cs16.25.40-1+deb12u1 Explanation: fix build failure
Bug#876178: This still impacts 4.18.4-1
Still impacts 4.18.4-1, although perhaps the bug should be against something gio related, or even tasksel or debian-installer? I ran into this when running through the Debian Installer and selecting XFCE as part of tasksel. Perhaps that task should bring in gvfs-backends? "Failed to browse the network" comes from https://gitlab.xfce.org/xfce/thunar/-/blob/master/thunar/thunar-window.c?ref_type=heads#L4731 but the "Location not supported" doesn't seem to be in that codebase. Thanks, Adam
Bug#1074463: Bashbro
Hi Soren, I missed a few comments, sorry about that. I've updated the version on the upstream to reflect the debian version and added the doc file. The other comments were addressed as far as I know, if there is anything else please let me know. Latest (1.12) is uploaded to mentors. Thanks, +Ad On Mon, Sep 16, 2024 at 12:54 PM Soren Stoutner wrote: > Adam, > > Did you read over the several other comments? > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076655#152 > > On Monday, September 16, 2024 8:42:09 AM MST Adam Danischewski wrote: > > Hi Soren, > > > > Last I heard, you asked for me to remove the debian/files file from > Salsa. > > I did and responded but I haven't heard anything back since. > > > > Hope all is well, please let me know if you need anything and the status. > > > > Thanks, > > +Ad > > > -- > Soren Stoutner > so...@debian.org -- Adam Michael Danischewski Software Engineer Phone: (929) 308-9674 Email: adam.danischew...@gmail.com Github: http://github.com/AdamDanischewski
Bug#1079158: mirror submission for debian-mirror.behostings.net
Hi, https://mirror-master.debian.org/status/mirror-info/debian-mirror.behostings.net.html doesn't go back far enough to show what the problem was, but the negative "score" column indicates that there was some kind of issue with the mirror recently. The score needs to stay positive for enough days, then it will get automatically included in the published list. Regards, Adam On Fri, 2024-09-13 at 09:20 +0200, basi...@thgnet.net wrote: > Hi, > > Its been more than 13 days and our mirror has not been added to your > mirror list. > > Thank you. > > On 26-08-2024 15:32, Adam D. Barratt wrote: > > Hi, > > > > Yes, that seems like a reasonable solution. > > > > Regards, > > > > Adam > > > > On Mon, 2024-08-26 at 09:38 +0200, basi...@thgnet.net wrote: > > > Hi, currently, our "RSYNC_HOST="ftp.be.debian.org". > > > > > > so shall we change the rsync_host to "mirror.as35701.net" to fix > > > the > > > issue ? > > > > > > Awaiting your response. > > > > > > On 25-08-2024 17:35, Adam D. Barratt wrote: > > > > On Tue, 2024-08-20 at 15:32 +, basil mathews wrote: > > > > > Submission-Type: new > > > > > Site: debian-mirror.behostings.net > > > > Our automated checks noticed an issue with your setup: > > > > > > > > o We recommend mirrors not sync directly from service aliases > > > > such > > > > as > > > > ftp..debian.org (only HTTP is guaranteed to be > > > > available at > > > > ftp. sites). Maybe change your config to sync from > > > > the site currently backing the ftp..debian.org service > > > > you > > > > sync > > > > from? > > > > > > > > Regards, > > > > > > > > Adam >
Bug#1076655: Bug#1074463: Bug#1076655: Bug#1074463: bashbro
I removed the file via phone (1st time, hopefully it worked). [Adam Danischewski - Chat @ Spike](https://spikenow.com/r/a/?ref=spike-organic-signature&_ts=2rh5kr) [2rh5kr] On September 8, 2024 at 3:12 GMT, Soren Stoutner wrote: Adam, One additional comment: Your source tree contains a debian/files. This is an autogenerated file created (and deleted) during build. Running sbuild removes it, but to be clean you should probably remove it from Salsa. See: https://www.debian.org/doc/debian-policy/ch-source.html#generated-files-list-debian-files On Saturday, September 7, 2024 8:02:46 PM MST Soren Stoutner wrote: > Adam, > > Debian/copyright must specify a license for each entry. The one for debian/ * > is missing. > > W: bashbro source: missing-field-in-dep5-copyright License [debian/copyright: > 10] > N: > N: The paragraph in the machine readable copyright file is missing a field > N: that is required by the specification. > N: > N: Please refer to > N: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ for > N: details. > N: > N: Visibility: warning > N: Show-Always: no > N: Check: debian/copyright/dep5 > > You can see an example at: > > https://salsa.debian.org/soren/privacybrowser/-/blob/master/debian/ copyright? > ref_type=heads > > > You should add the following two lines to debian/control, which specify the > location of the packaging repository. > > Vcs-Git: https://salsa.debian.org/adanisch/bashbro.git > Vcs-Browser: https://salsa.debian.org/adanisch/bashbro > > You can see an example at: > > https://salsa.debian.org/soren/privacybrowser/-/blob/master/debian/control? > ref_type=heads > > > As the upstream README.md has important information for end users, you might > want to install it into /usr/share/doc/bashbro. You can do this by creating a > file named debian/docs and populating it with the single line: > > README.md > > Beyond the files dh_installdocs automatically installs, it will look for those > listed in debian/docs and install them into /usr/share/doc/bashbro. > > > This isn’t a problem for the packaging, but the upstream lists version 1.05 in > the header. It is fine to upload the Debian package that way, but you > probably want to either update the version number in the header with each > release or remove it. > > On Saturday, September 7, 2024 6:24:14 PM MST Adam Danischewski wrote: > > Hi Soren, > > > > If you could build it from the current repo that would be great! > > > > If there are any problems please let me know - I'll address them as soon as > > possible. > > > > Thanks, > > > > +Ad -- Soren Stoutner so...@debian.org
Bug#1076655: Bump - Any takers?
Control owner -1? [Adam Danischewski - Chat @ Spike](https://spikenow.com/r/a/?ref=spike-organic-signature&_ts=2rbwf2) [2rbwf2] On September 4, 2024 at 7:17 GMT, Soren Stoutner wrote: Control: owner -1 ! Adam, On Tuesday, September 3, 2024 9:44:36 PM MST Adam Danischewski wrote: > Still looking for a sponsor for Bashbro, it's a really useful tool. I’ll review and sponsor the package. The first thing I noticed is that the packaging repository mirrors things from the upstream repository that aren’t needed (and get in the way) and also is not efficient for handling future Debian updates. The following comes with a warning: there are a lot (a lot, a lot) of ways to maintain a Debian packaging repository. Some of them have very good reasons for existing. Many of them exist for historical reasons (they had a good reason at some point in the past and now it is a lot of work to change so they don't). For the purpose of simplicity, I am going to describe just one repository design to you without any analysis of any of the other options. I do so because this has become the current, most popular design. If you want a list of other options, just ask (and lots of people on Mentors will be willing to give you their favorites). What I am going to recommend to you is gbp (git-buildpackage). Gbp organizes your repository into three main branches. Because this is Debian, there is huge debate about what these three branches should even be called, but for simplicity’s sake I will give you the names as the gbp program currently creates them by default. master upstream pristine-tar Master contains the upstream source code combined with the debian directory. It is helpful to have these combined if you ever need to manage quilt patches. This branch contains tags for each Debian release. Upstream contains just the upstream source code, with tags for each upstream release. Pristine-tar can be used to generate the original upstream tarball (necessary for building the package) without the need to make a request to the upstream server (which might go offline at some point). This means that gbp can build any version ever released on Debian just from a clone of the packaging repository, even while offline. The gbp program will create and manage these repositories for you. https://tracker.debian.org/pkg/git-buildpackage I would recommend that you wipe out your current Salsa repository and create a new one using gbp. To do this, follow the instructions at: https://wiki.debian.org/PackagingWithGit#Importing_upstream_as_tarballs Basically, build the package locally, which will create a .dsc file. Then run: gbp import-dsc /path/to/package_0.1-1.dsc This will create a directory with a local git repository with the three branches listed above. You can then push that to Salsa. The beauty of gbp is that it makes updating to new releases very easy: gbp import-orig --uscan dch gbp buildpackage gbp tag gbp push gbp import-orig --uscan: This uses uscan to check for upstream updates, downloads them, unpacks them, tags them, and updates the three branches. dch: This edits the changelog. That is the only file in the debian directory that will need to be changed with every release. Obviously, if other files need to change, they should be edited at this stage as well. gbp buildpackage: This builds the package. Obviously, if there are any errors, they need to be fixed at this stage. gbp tag: This tags the Debian release. gbp push: This pushes all three branches and their tags to Salsa. From there, I can pull the branches, run gbp buildpackage, (check for any problems), and sponsor it. All of these program have command line switches that do extra stuff. For simplicity’s sake I have left those out of this description, but they are available in the man files (and gbp often will prompt you if one is mandatory based on the circumstances). If you have any questions, just feel free to ask. -- Soren Stoutner so...@debian.org
Bug#1074463: bashbro
Here is my response to John: Thanks for the thoughtful and quick response. It looks like python -m http.server does cover most of what Bashbro has to offer at the moment. But there is a big update on the way, adding more functionality and I will look at your security concerns. Some of the features are a way to filter (include/exclude) files shown, by file extension and regex fragment, shows the fs and how full it is on the directory displayed and will have an m3u view option that will allow filter configured page be copy/pasted via url into a streaming media player (e.g. vlc). Also the HTTP protocol handling will be updated. Here is a link to an image of the prototype, it's roughed in not the final appearance. The pie chart is written dynamically via javascript/canvas showing how much space is left on the filesystem. https://ibb.co/sbbMnLH So for instance, you might launch VLC (ctl+n) and paste something like: http://localhost:5544/media/media_clips/?m3u=true&filter_type=ALL_FILES&excludeFilters=&includeFilters=mp4 Note: Bashbro has the ability to jail to a directory or a single file which I'm not sure python does at present, which isn't I guess a huge bit of functionality but it can be useful if/when you want to share a single file. As for how the url encoding works, at present it relies on the browser. I plan on implementing RFC 3986 - I have recently written a few fast urlencoders recently and the awk version is practically as fast as my optimized C version (the awk version will be included in the future version of Bashbro) - you can find them on my blog if you're interested: https://scriptsandoneliners.blogspot.com/ For / support: Have you tried creating a file with a / in it? It's not possible afaik. But I'll probably try to cover those edge cases anyway where possible - newlines and /'s although legal tend to break a lot of things kind of like null characters in C strings. Anyway, thanks again for the consideration, +Ad On Wed, Sep 4, 2024 at 10:51 PM Soren Stoutner wrote: > John, > > Those are some good comments. Thanks. > > On Wednesday, September 4, 2024 6:35:33 PM MST John Goerzen wrote: > > Hello, > > > > Adam recently contacted me as a random DD, as he was interested in > > getting Bashbro into Debian. As a courtesy to the others that have > > visited with him about it, here is an excerpt of my response. > > > > Hi Adam, > > > > That's a pretty neat concept! I'm impressed - HTTP serving in bash. It > > wouldn't have occurred to me. A neat idea! And, I'm glad that you're > > interested in Debian! > > > > When considering adding a package to Debian, we remember that adding a > > package is expensive. That is, it requires infrastructure resources, > > human time (reviewing uploads, etc), bandwidth, disk space, etc. It > > also implies commitments for future humans: security team, etc. > > > > So there are some broad criteria we look at when considering adding a > > package: > > > > 1) Does it duplicate existing functionality? If so, is it sufficiently > > different/better to justify inclusion anyhow? > > > > 2) Is it likely to be actively maintained for the extended lifetime of a > > release (several years)? > > > > 3) Is it of high quality? > > > > Debian already contains this kind of functionality in the default > > install (run python -m http.server 9000, for instance; see > > https://docs.python.org/3/library/http.server.html#http-server-security > > ). There are also numerous other minimal HTTP servers in Debian > > already. So the question is: is this sufficiently better to justify the > > effort? > > > > The main thing I'm concerned about here is security. Writing HTTP code > > is notoriously difficult and I'm sure there have been thousands of CVEs > > over the years related to it. So off the bat, writing one's own > > HTTP-parsing code implies a base-level risk. > > > > I note you have made a solid effort to use good shell quoting > > practices -- excellent. Remember that on most Linux filesystems, every > > 8-bit character except 0x00 and '/' is valid in a filename. So, > > consider what would happen if you had to deal with a filename or a > > request: > > > > - Beginning with '-' > > - Beginning with "of=" > > - Contains '+', '?', ' ', or '&' > > - Containing %0D, %0A, %00, %20, %FF, or their unencoded versions > > - Is 1GB long (what does "read" do with that?) > > - Has headers that are 1GB long > > - Contains ANSI terminal-manipulation sequences > > - Con
Bug#1076655: Bump - Any takers?
Still looking for a sponsor for Bashbro, it's a really useful tool. -- Adam Michael Danischewski Software Engineer Phone: (929) 308-9674 Email: adam.danischew...@gmail.com Github: http://github.com/AdamDanischewski
Bug#1080418: override: systemd-timesyncd:admin/standard
On Tue, 2024-09-03 at 11:27 -0300, Santiago Ruano Rincón wrote: > Dear DSA, would it be possible to have the list of all the overrides > in bullseye, that would be needed to be sync'ed with bullseye- > security? Technically, yes, although I suspect that this may be something that ftp-master already have tooling / scripting around. It looks like the security.d.o dak database contains overrides for all packages in the main archive, even if they've not also been released via the security archive. That seems to imply that any override changes to testing and (old)*stable on ftp-master should also be synced to security-master. I wonder if that could be automated in some fashion. Regards, Adam
Bug#1080254: new upstream version 2.22
Package: mailfront Version: 2.12-3 Severity: wishlist Debian is currently shipping mailfront 2.12, but the current upstream version is 2.22.
Bug#1079454: bookworm-pu: package python-django/3:3.2.19-1+deb12u2
On Thu, 2024-08-29 at 16:05 +0100, Steve McIntyre wrote: > At this point, I would say let's be safe and hang back on the django > update this - it will wait for the next point release. Thanks; added to the list for Saturday. Regards, Adam
Bug#1079514: rustc-web 1.78.0+dfsg1-2~deb12u3 flagged for acceptance
package release.debian.org tags 1079514 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb12u3 Explanation: fix conflicts and autopkg tests
Bug#1079515: rustc-web 1.78.0+dfsg1-2~deb11u3 flagged for acceptance
package release.debian.org tags 1079515 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb11u3 Explanation: fix conflicts and autopkg tests
Bug#1079515: bullseye-pu: package rustc-web/1.78.0+dfsg1-2~deb11u1
On Wed, 2024-08-28 at 11:16 +0200, Emilio Pozuelo Monfort wrote:
> On 25/08/2024 11:16, Adam D. Barratt wrote:
>
[...]
> > Both the bullseye and bookworm builds fail on mips64el with:
> >
> > File "/<>/src/bootstrap/bootstrap.py", line 1175, in
> >
> > main()
> > File "/<>/src/bootstrap/bootstrap.py", line 1160,
> > in main
> > bootstrap(args)
> > File "/<>/src/bootstrap/bootstrap.py", line 1127,
> > in bootstrap
> > build.build_bootstrap()
> > File "/<>/src/bootstrap/bootstrap.py", line 880, in
> > build_bootstrap
> > args = self.build_bootstrap_cmd(env)
> > ^
> > File "/<>/src/bootstrap/bootstrap.py", line 983, in
> > build_bootstrap_cmd
> > raise Exception("no cargo executable found at `{}`".format(
> > Exception: no cargo executable found at `/usr/bin/cargo`
> > make[1]: *** [debian/rules:300: debian/dh_auto_build.stamp] Error 1
> > make[1]: Leaving directory '/<>'
> > make: *** [debian/rules:203: binary-arch] Error 2
>
> Those are expected. The reason is that there's no bootstrap binaries
> for mips{64,}el because upstream dropped their tier level and no
> longer provides them. So we'll have to drop (or keep an outdated)
> firefox/chromium binary. Note that for mipsel, this doesn't matter
> much, as llvm-16 isn't available either,
> and there are no firefox-esr/chromium/thunderbird builds there.
Thanks for the background.
Technically there /are/ firefox-esr builds on mipsel in bullseye, but
they're really old:
firefox-esr | 78.15.0esr-1~deb11u1 | oldstable |
source, mipsel
chromium doesn't build for mips* in any case, and bullseye-LTS won't
support mips*el. So the practical effect AFAICT is that we lose the
ability to build firefox-esr and thunderbird on mips64el for bookworm.
I /assume/ that isn't particularly an issue.
Regards,
Adam
Bug#1079158: mirror submission for debian-mirror.behostings.net
Hi, Yes, that seems like a reasonable solution. Regards, Adam On Mon, 2024-08-26 at 09:38 +0200, basi...@thgnet.net wrote: > Hi, currently, our "RSYNC_HOST="ftp.be.debian.org". > > so shall we change the rsync_host to "mirror.as35701.net" to fix the > issue ? > > Awaiting your response. > > On 25-08-2024 17:35, Adam D. Barratt wrote: > > On Tue, 2024-08-20 at 15:32 +, basil mathews wrote: > > > Submission-Type: new > > > Site: debian-mirror.behostings.net > > Our automated checks noticed an issue with your setup: > > > > o We recommend mirrors not sync directly from service aliases such > > as > > ftp..debian.org (only HTTP is guaranteed to be available at > > ftp. sites). Maybe change your config to sync from > > the site currently backing the ftp..debian.org service you > > sync > > from? > > > > Regards, > > > > Adam >
Bug#1079635: systemd 252.30-1~deb12u2 flagged for acceptance
package release.debian.org tags 1079635 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: systemd Version: 252.30-1~deb12u2 Explanation: avoid conffile prompt from updated comment
Bug#1079635: bookworm-pu: package systemd/252.30-1~deb12u2
Control: tags -1 + confirmed On Sun, 2024-08-25 at 18:50 +0100, Luca Boccassi wrote: > This upload backports one patch to revert adding a new comment that > was added in 252.30-1~deb12u1 to a conffile as indicated in: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079086#25 Thank you for preparing this so quickly. Please go ahead. Regards, Adam
Bug#1079086: systemd 252.30-1~deb12u1 flagged for acceptance
On Sun, 2024-08-25 at 18:44 +0200, Cyril Brulebois wrote: > Anyone having tweaked journald.conf is going to get a prompt because > of the following change: > > -#MaxRetentionSec= > +#MaxRetentionSec=0 > > That's not really something I'd expect from a point release… Apologies for missing that. Luca? Regards, Adam
Bug#1079158: mirror submission for debian-mirror.behostings.net
On Tue, 2024-08-20 at 15:32 +, basil mathews wrote: > Submission-Type: new > Site: debian-mirror.behostings.net Our automated checks noticed an issue with your setup: o We recommend mirrors not sync directly from service aliases such as ftp..debian.org (only HTTP is guaranteed to be available at ftp. sites). Maybe change your config to sync from the site currently backing the ftp..debian.org service you sync from? Regards, Adam
Bug#1079388: calibre 6.13.0+repack-2+deb12u4 flagged for acceptance
package release.debian.org tags 1079388 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: calibre Version: 6.13.0+repack-2+deb12u4 Explanation: fix remote code execution issue [CVE-2024-6782, cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009]
Bug#1079597: calibre 5.12.0+dfsg-1+deb11u2 flagged for acceptance
package release.debian.org tags 1079597 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: calibre Version: 5.12.0+dfsg-1+deb11u2 Explanation: fix cross site scripting issue [CVE-2024-7008], SQL injection issue [CVE-2024-7009]
Bug#1079565: glogic 2.6-6+deb12u1 flagged for acceptance
package release.debian.org tags 1079565 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: glogic Version: 2.6-6+deb12u1 Explanation: require Gtk 3.0 and PangoCairo 1.0
Bug#1079579: cacti 1.2.24+ds1-1+deb12u4 flagged for acceptance
package release.debian.org tags 1079579 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: cacti Version: 1.2.24+ds1-1+deb12u4 Explanation: fix autopkgtest failure
Bug#1079460: initramfs-tools 0.142+deb12u1 flagged for acceptance
package release.debian.org tags 1079460 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: initramfs-tools Version: 0.142+deb12u1 Explanation: hook_functions: Fix copy_file with source including a directory symlink; hook-functions: copy_file: Canonicalise target filename; install hid-multitouch module for Surface Pro 4 Keyboard; add hyper-keyboard module, needed to enter LUKS password in Hyper-V; auto_add_modules: Add onboard_usb_hub, onboard_usb_dev
Bug#1079515: bullseye-pu: package rustc-web/1.78.0+dfsg1-2~deb11u1
On Sun, 2024-08-25 at 10:08 +0200, Paul Gevers wrote:
> Hi Emilio,
>
> On 24-08-2024 12:29, Emilio Pozuelo Monfort wrote:
> > Uploaded.
>
> The package fails its own autopkgtest. Did something go wrong?
>
> 63s autopkgtest [22:00:29]: test create-and-build-crate:
> [---
> 63s Created binary (application) `hello` package
> 63s error: no such subcommand: `add`
> 63s
> 63s Did you mean `doc`?
> 63s autopkgtest [22:00:29]: test create-and-build-crate:
> ---]
Both the bullseye and bookworm builds fail on mips64el with:
File "/<>/src/bootstrap/bootstrap.py", line 1175, in
main()
File "/<>/src/bootstrap/bootstrap.py", line 1160, in main
bootstrap(args)
File "/<>/src/bootstrap/bootstrap.py", line 1127, in bootstrap
build.build_bootstrap()
File "/<>/src/bootstrap/bootstrap.py", line 880, in
build_bootstrap
args = self.build_bootstrap_cmd(env)
^
File "/<>/src/bootstrap/bootstrap.py", line 983, in
build_bootstrap_cmd
raise Exception("no cargo executable found at `{}`".format(
Exception: no cargo executable found at `/usr/bin/cargo`
make[1]: *** [debian/rules:300: debian/dh_auto_build.stamp] Error 1
make[1]: Leaving directory '/<>'
make: *** [debian/rules:203: binary-arch] Error 2
Regards,
Adam
Bug#1079597: bullseye-pu: package calibre/5.12.0+dfsg-1+deb11u2
Control: tags -1 + confirmed On Sun, 2024-08-25 at 13:53 +0900, YOKOTA Hiroshi wrote: > Fix these CVEs: > * CVE-2024-7008 > * CVE-2024-7009 Please go ahead, bearing in mind that today is the last day to get fixes into the final bullseye point release. After that you will need to co-ordinate with the LTS Team. Regards, Adam
Bug#1079388: bookworm-pu: package calibre/6.13.0+repack-2+deb12u4
Control: tags -1 + confirmed On Fri, 2024-08-23 at 08:44 +0900, YOKOTA Hiroshi wrote: > Fix these CVEs: > * CVE-2024-6782 + fixup > * CVE-2024-7008 > * CVE-2024-7009 Please go ahead. Regards, Adam
Bug#1076335: libvirt 9.0.0-4+deb12u1 flagged for acceptance
package release.debian.org tags 1076335 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: libvirt Version: 9.0.0-4+deb12u1 Explanation: virsh: Make domif-setlink work more than once; qemu: domain: Fix logic when tainting domain; fix denial of service issues [CVE-2023-3750 CVE-2024-1441 CVE-2024-2494 CVE-2024-2496]
Bug#1076335: bookworm-pu: package libvirt/9.0.0-4
On Sat, 2024-08-24 at 23:12 +0200, Andrea Bolognani wrote: > After performing the upload ~4 hours ago, I have received a message > with subject > > libvirt_9.0.0-4+deb12u1_source.changes > ACCEPTED into proposed-updates->stable-new > > and (partial) contents > > Mapping bookworm to stable. > Mapping stable to proposed-updates. > > so I think I'm good? The tracker.d.o page hasn't been updated yet > though, and none of the bugs that the upload is supposed to close > have changed their state. This usually happens pretty quickly when > uploading to unstable. Your package is in the stable-new policy queue, as per the emails you received. It will stay there until SRM accept it. You don't need to do anything other than wait for that to happen, or an e-mail that says there's a problem. There's nothing for you to do in the meantime. Regards, Adam
Bug#1079579: bookworm-pu: package cacti/1.2.24+ds1-1+deb12u4
Control: tags -1 + confirmed On Sat, 2024-08-24 at 20:28 +, Bastien Roucariès wrote: > Previous upload fail debci, forget to backport test If you're going to CC people on bug submissions, _please_ use X- Debbugs-CC. Otherwise we just get a mail telling us that a bug is about to exist, with no bug number, which isn't really that useful. Paul also told you on IRC that you could upload at the same time as filing the bug. So... please go ahead. Regards, Adam
Bug#1079565: bookworm-pu: package glogic/2.6-6+deb12u1 (pre-approval)
Control: tags -1 + confirmed
On Sat, 2024-08-24 at 17:55 +0200, Andreas Rönnquist wrote:
> glogic crashes on startup in stable:
>
> > /usr/lib/python3/dist-packages/glogic/MainFrame.py:4: PyGIWarning:
> > Gtk
> > was imported without specifying a version first. Use
> > gi.require_version('Gtk', '4.0') before import to ensure that the
> > right version gets loaded.
> > from gi.repository import Gtk, Gdk, GdkPixbuf
> > Traceback (most recent call last):
> > File "/usr/bin/glogic", line 20, in
> > from glogic.MainFrame import MainFrame
> > File "/usr/lib/python3/dist-packages/glogic/MainFrame.py", line
> > 18,
> > in themed_icons = Gtk.IconTheme.get_default()
> > ^^^^^
> > AttributeError: type object 'IconTheme' has no attribute
> > 'get_default'
Please go ahead.
Regards,
Adam
Bug#1079543: amd64-microcode 3.20240820.1~deb12u1 flagged for acceptance
package release.debian.org tags 1079543 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: amd64-microcode Version: 3.20240820.1~deb12u1 Explanation: SEV firmware fixes [CVE-2023-20584 CVE-2023-31356]
Bug#1079544: amd64-microcode 3.20240820.1~deb11u1 flagged for acceptance
package release.debian.org tags 1079544 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: amd64-microcode Version: 3.20240820.1~deb11u1 Explanation: SEV firmware fixes [CVE-2023-20584 CVE-2023-31356]
Bug#1076335: bookworm-pu: package libvirt/9.0.0-4
On Sat, 2024-08-24 at 15:41 +0200, Andrea Bolognani wrote: > Just so that we're on the same page, do you want me to share the > debdiff here and get an explicit ACK from you before proceeding with > the upload, or should I go for the the upload first in the interest > of time? If the change from the previously-acked diff is just the addition of the new patch as per the MR, and a changelog entry for it, then feel free to upload without waiting for a new ack. Please do still send the new debdiff to this bug. Regards, Adam
Bug#1079515: rustc-web 1.78.0+dfsg1-2~deb11u2 flagged for acceptance
package release.debian.org tags 1079515 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb11u2 Explanation: new upstream stable release, to support building new chromium and firefox-esr versions
Bug#1079515: rustc-web 1.78.0+dfsg1-2~deb11u1 flagged for acceptance
package release.debian.org tags 1079515 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb11u1 Explanation: new upstream stable release, to support building new chromium and firefox-esr versions
Bug#1079450: curl 7.74.0-1.3+deb11u13 flagged for acceptance
package release.debian.org tags 1079450 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: curl Version: 7.74.0-1.3+deb11u13 Explanation: fix ASN.1 date parser overread issue [CVE-2024-7264]
Bug#1079514: rustc-web 1.78.0+dfsg1-2~deb12u1 flagged for acceptance
package release.debian.org tags 1079514 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb12u1 Explanation: new upstream stable release, to support building new chromium and firefox-esr versions
Bug#1079514: rustc-web 1.78.0+dfsg1-2~deb12u2 flagged for acceptance
package release.debian.org tags 1079514 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: rustc-web Version: 1.78.0+dfsg1-2~deb12u2 Explanation: new upstream stable release, to support building new chromium and firefox-esr versions
Bug#1079454: python-django 3.2.19-1+deb12u2 flagged for acceptance
package release.debian.org tags 1079454 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: python-django Version: 3.2.19-1+deb12u2 Explanation: fix regular expression-based denial of service issue [CVE-2023-36053], denial of service issues [CVE-2024-38875 CVE-2024-39614 CVE-2024-41990 CVE-2024-41991], user enumeration issue [CVE-2024-39329], directory traversal issue [CVE-2024-39330], excessive memory consumption issue [CVE-2024-41989], SQL injection issue [CVE-2024-42005]
Bug#1076335: bookworm-pu: package libvirt/9.0.0-4
On Sat, 2024-08-24 at 14:58 +0200, Andrea Bolognani wrote: > thank you for looking into this and sorry for the late reply. I had > to focus all my Debian time on something else for a couple of weeks. > > In the meantime, this MR was opened asking for an additional bugfix > to be included in the next upload targeting bookworm: > > https://salsa.debian.org/libvirt-team/libvirt/-/merge_requests/227 > > What is the Release Team's preference here? Should I go ahead with > the upload that was originally agreed upon, or should I prepare a > debdiff that includes the additional changes so that you can have > another look and we can have a single upload covering everything? Well... I'd be OK with including that fix as well, but it depends how quickly you can handle things, and how urgent the other fixes are. The window for getting updates into the 12.7 point release closes this weekend, and it's already Saturday afternoon. If you can update your package to include the new fix and get it uploaded in time (with a new debdiff added to this bug log for the record) then fine. Regards, Adam
Bug#1079543: bookworm-pu: package amd64-microcode/3.20240820.1~deb12u1
Control: tags -1 + confirmed On Sat, 2024-08-24 at 09:51 -0300, Henrique de Moraes Holschuh wrote: > I would like to bring the *firmware* update level for AMD processors > in Bullseye and Bookworm to match what we have in Sid and Trixie. > This is the bug report for Bookworm, a separate one will be filled > for Bullseye. > > The update is a security update for AMD-SEV (AMD-SB-3003). It does > not change the processor microcode. Please go ahead. Regards, Adam
Bug#1079544: bullseye-pu: package amd64-microcode/3.20240820.1~deb11u1
Control: tags -1 + confirmed On Sat, 2024-08-24 at 09:52 -0300, Henrique de Moraes Holschuh wrote: > I would like to bring the *firmware* update level for AMD processors > in Bullseye and Bookworm to match what we have in Sid and Trixie. > This is the bug report for Bullseye, a separate one will be filled > for Bookworm. > > The update is a security update for AMD-SEV (AMD-SB-3003). It does > not change the processor microcode. Please go ahead. Regards, Adam
Bug#1079515: bullseye-pu: package rustc-web/1.78.0+dfsg1-2~deb11u1
Control: tags -1 + moreinfo
On Sat, 2024-08-24 at 10:27 +0200, Emilio Pozuelo Monfort wrote:
> This backports 1.78 from bookworm to bullseye. The changes are
> minimal.
> Again I haven't been able to build firefox against it yet, as I'm
> having trouble with the FF build and OOM issues. Would be good to get
> this accepted so that it can be built, and I'll keep working on that
> build and report here.
As noted on IRC, the binary package rename need to include rustfmt{,-dbgsym}:
rustfmt | 1.63.0+dfsg1-2 | stable| amd64, arm64, armel,
armhf, i386, mips64el, mipsel, ppc64el, s390x
rustfmt | 1.78.0+dfsg1-2~deb11u1 | oldstable-new | amd64
rustfmt | 1.78.0+dfsg1-2~deb12u1 | stable-new| amd64
rustfmt | 1.79.0+dfsg1-2 | testing | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt | 1.79.0+dfsg1-2 | unstable | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt | 1.80.1+dfsg1-1~exp1| experimental | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt-web | 1.70.0+dfsg1-7~deb11u1 | oldstable | amd64, arm64, armhf,
i386, mips64el, ppc64el, s390x
rustfmt-web | 1.70.0+dfsg1-7~deb12u2 | stable| amd64, arm64, armhf,
i386, mips64el, ppc64el, s390x
A new upload is planned, but setting moreinfo for now.
Regards,
Adam
Bug#1079514: bookworm-pu: package rustc-web/1.78.0+dfsg1-2~deb12u1
Control: tags -1 + moreinfo
On Sat, 2024-08-24 at 10:25 +0200, Emilio Pozuelo Monfort wrote:
> This is an update for rustc-web to a newer release, needed by both
> newer chromium and firefox ESR 128 (turns out the version I
> backported
> was fine for firefox 125 in sid at the time, but 128 bumped it). I've
> gone for rustc 1.78 because it can be built with LLVM 16. For the
> next
> firefox ESR release (in about a year) or perhaps earlier for chromium
> we'll probably need to update rustc and backport a newer LLVM.
As noted on IRC, the binary package rename need to include rustfmt{,-dbgsym}:
rustfmt | 1.63.0+dfsg1-2 | stable| amd64, arm64, armel,
armhf, i386, mips64el, mipsel, ppc64el, s390x
rustfmt | 1.78.0+dfsg1-2~deb11u1 | oldstable-new | amd64
rustfmt | 1.78.0+dfsg1-2~deb12u1 | stable-new| amd64
rustfmt | 1.79.0+dfsg1-2 | testing | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt | 1.79.0+dfsg1-2 | unstable | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt | 1.80.1+dfsg1-1~exp1| experimental | amd64, arm64, armel,
armhf, i386, mips64el, ppc64el, riscv64, s390x
rustfmt-web | 1.70.0+dfsg1-7~deb11u1 | oldstable | amd64, arm64, armhf,
i386, mips64el, ppc64el, s390x
rustfmt-web | 1.70.0+dfsg1-7~deb12u2 | stable| amd64, arm64, armhf,
i386, mips64el, ppc64el, s390x
A new upload is planned, but setting moreinfo for now.
Regards,
Adam
Bug#1079450: bullseye-pu: package curl/7.74.0-1.3+deb11u13
Control: tags -1 + confirmed On Fri, 2024-08-23 at 08:16 -0300, Carlos Henrique Lima Melara wrote: > [ Reason ] > The reason is to fix CVE-2024-7264 [1] by cherry-picking and > backporting the upstream fixes released in curl 8.9.1. Please go ahead, bearing in mind that the window for the final bullseye point release closes this weekend. (Although you can of course co- ordinate with the LTS Team after that if need be.) Regards, Adam
Bug#1079460: bookworm-pu: package initramfs-tools/0.142+deb12u1
Control: tags -1 + confirmed On Fri, 2024-08-23 at 15:22 +0200, Ben Hutchings wrote: > - Some important drivers are currently not included in the initramfs > by default. > - If the same file is added to the initramfs and named through > multiple directory symlinks, it is duplicated in the initramfs. [...] > The change to symlink handling has been tested together with > firmware-nvidia-graphics from unstable. I will also test > the backport with reiserfsprogs (not yet done). [...] > There is some risk of regression from changes to the handling of > symlinked directories. The initial fix for this led to breakage > for reiserfsprogs (bug #1079276), but that has been resolved. Please go ahead. Note that the window for getting fixes into 12.7 will close this weekend. Regards, Adam
Bug#1079313: mlpost 0.8.2-4+deb11u1 flagged for acceptance
package release.debian.org tags 1079313 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: mlpost Version: 0.8.2-4+deb11u1 Explanation: fix build failure with newer ImageMagick versions
Bug#1079291: healpix-java 3.60+ds-4+deb11u1 flagged for acceptance
package release.debian.org tags 1079291 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: healpix-java Version: 3.60+ds-4+deb11u1 Explanation: fix build failure
Bug#1079271: trinity 1.9+git20200331.4d2343bd18c7b-2+deb11u1 flagged for acceptance
package release.debian.org tags 1079271 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: trinity Version: 1.9+git20200331.4d2343bd18c7b-2+deb11u1 Explanation: fix build failure by dropping support for DECNET
Bug#1079144: gettext.js 0.7.0-2+deb11u1 flagged for acceptance
package release.debian.org tags 1079144 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: gettext.js Version: 0.7.0-2+deb11u1 Explanation: fix server side request forgery issue [CVE-2024-43370]
Bug#1079353: cacti 1.2.24+ds1-1+deb12u3 flagged for acceptance
package release.debian.org tags 1079353 = bookworm pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm. Thanks for your contribution! Upload details == Package: cacti Version: 1.2.24+ds1-1+deb12u3 Explanation:
